[e-lang] CVE-2009-2475
David-Sarah Hopwood
david-sarah at jacaranda.org
Wed Aug 12 03:23:22 EDT 2009
David Wagner wrote:
> Does anyone know anything more about the Java vulnerability
> CVE-2009-2475? The only information I could find (see below)
> refers to problems with mutable static variables.
>
> Would Joe-E have prevented these flaws? (Joe-E bans mutable
> static variables.)
Yes, it would (if the code in question were either Joe-E, or not exposed
by taming decisions).
> Several potential information leaks were found in various mutable static
> variables. These could be exploited in application scenarios that execute
> untrusted scripting code.
I'm not sure why this is referred to only as an information leak; it's
both an information leak and an integrity issue (since obviously, code
using these variables cannot be defensively consistent if they are
globally mutable).
Any public static non-final variable in a Java API is necessarily a bug.
So are static variables that are final but reference mutable objects,
when access to those objects is not controlled by some security check.
--
David-Sarah Hopwood ⚥ http://davidsarah.livejournal.com
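The two defects the reply describes, shown side by side as an added illustration that is not part of the thread: a public static non-final field, and a static final field whose referent (an array) is mutable, next to a form that exposes only an unmodifiable view. Class, field and path names are hypothetical.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added illustration; names are hypothetical and not from any real API.

// Pattern the post calls out: state reachable and mutable by any code in the JVM.
final class LeakyConfig {
    // Public static non-final: any caller can read it (information leak)
    // and overwrite it (integrity loss).
    public static String trustedHost = "updates.example.invalid";

    // Static final, but the referenced array is mutable: the reference cannot
    // be replaced, yet its contents can be read and changed by any caller.
    public static final String[] ALLOWED_PATHS = { "/public", "/docs" };

    static boolean isAllowed(String path) {
        return Arrays.asList(ALLOWED_PATHS).contains(path);
    }
}

// Defensively consistent form: no mutable object is reachable through a static.
final class GuardedConfig {
    private static final List<String> ALLOWED_PATHS =
        Collections.unmodifiableList(Arrays.asList("/public", "/docs"));

    private GuardedConfig() {}

    // Read-only view: callers cannot add, remove or replace entries.
    static List<String> allowedPaths() {
        return ALLOWED_PATHS;
    }

    static boolean isAllowed(String path) {
        return ALLOWED_PATHS.contains(path);
    }
}

public class StaticStateDemo {
    public static void main(String[] args) {
        // Any code loaded into the same JVM (the "untrusted scripting code" of
        // the advisory) can reach these statics without holding a reference
        // to any LeakyConfig instance.
        LeakyConfig.trustedHost = "attacker.invalid";       // integrity loss
        LeakyConfig.ALLOWED_PATHS[0] = "/etc";               // final reference, mutable contents
        System.out.println(LeakyConfig.isAllowed("/etc"));  // true: policy silently changed

        // The guarded form rejects mutation through the only exposed view.
        try {
            GuardedConfig.allowedPaths().add("/etc");
        } catch (UnsupportedOperationException e) {
            System.out.println("GuardedConfig rejected mutation");
        }
        System.out.println(GuardedConfig.isAllowed("/etc")); // false: policy unchanged
    }
}
```

Running `StaticStateDemo` prints `true`, then `GuardedConfig rejected mutation`, then `false`. The point of the second class is the one the reply makes: making the field `final` is not enough when the object it references is mutable; the mutable object itself must be unreachable (here, by handing out only an unmodifiable view) or every access to it must pass a check.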